There's lots of interesting ways to do stuff like this, and I'm quite positive I can't think of them all in this reply. You mentioned not wanting to do port forwarding but all methods will require port forwarding in some form or fashion. Sometimes this is done automatically with the protocol that opportunistically opens a port or you do it manually. There is ways to do things like Port knocking or sending some sort of signal to the firewall and then it will allow the port to be forwarded.
You mentioned also the easiest way and that gets a little more tricky as to what easiest means to you. So in a setup that I do I use PFsense firewalls and I set up port forwarding based on the source DNS name. This allows me to use dynamic DNS to assign that name to whatever IP my management station is on wherever it may be at the current time. The firewalls then allow that IP to be forwarded to something on the other side which could be VNC or an RDP system or something I could SSH into. This is very easy and it avoids the complexity of a VPN at each endpoint that I would need to manage. There are some downsides to this and some risks. If someone was to determine there's a DNS name and hijack the DNS they can simply remap it to their own system. Of course there is a second layer because even when the ports are forwarded and allowed there is authentication that needs to be taken place as well but there is still the possibility of the exploits against whatever we're forwarding through too. So it does rely on a bit of obscurity of having to know that this innocuous dynamic DNS name allows connectivity to these also unknown endpoints. You kind of have to weigh the pros and cons of it. Is it good enough for home connectivity or management of something that has low risk information on it should it be compromised? Yes I think it's probably good enough for that. If you're talking about a corporation with highly sensitive information then it's probably not good enough for that.
You mentioned also the easiest way and that gets a little more tricky as to what easiest means to you. So in a setup that I do I use PFsense firewalls and I set up port forwarding based on the source DNS name. This allows me to use dynamic DNS to assign that name to whatever IP my management station is on wherever it may be at the current time. The firewalls then allow that IP to be forwarded to something on the other side which could be VNC or an RDP system or something I could SSH into. This is very easy and it avoids the complexity of a VPN at each endpoint that I would need to manage. There are some downsides to this and some risks. If someone was to determine there's a DNS name and hijack the DNS they can simply remap it to their own system. Of course there is a second layer because even when the ports are forwarded and allowed there is authentication that needs to be taken place as well but there is still the possibility of the exploits against whatever we're forwarding through too. So it does rely on a bit of obscurity of having to know that this innocuous dynamic DNS name allows connectivity to these also unknown endpoints. You kind of have to weigh the pros and cons of it. Is it good enough for home connectivity or management of something that has low risk information on it should it be compromised? Yes I think it's probably good enough for that. If you're talking about a corporation with highly sensitive information then it's probably not good enough for that.